The Jordanian access intermediary who sold credentials to feed ransomware attacks was found guilty


A Jordanian man pleaded guilty in the United States to operating as what the industry calls an "access broker": an intermediary who sells initial access to corporate networks and thus facilitates much more harmful attacks. According to court documents, this individual (identified as Feras Khalil Ahmad Albashiti, 40, and known on forums under the alias "r1z") admitted to having put up for sale credentials and access to the infrastructure of at least 50 companies. The case reached the United States after the authorities obtained his extradition from Georgia in July 2024, and sentencing is scheduled for 11 May 2026.

The access broker is not a mere passive intermediary: it is a key piece of the digital criminal ecosystem. These actors find or buy credentials, VPN access or entry points and sell them to ransomware operators, cyber spies or groups seeking to steal data. By facilitating entry, they lower the technical barrier for those who inflict the final damage and often multiply the impact of a single failure or leak.


In the case of Albashiti, according to the prosecution, the transaction used as evidence occurred on 19 May 2023, when he sold access to an undercover agent who was posing as a buyer of credentials, receiving payment in cryptocurrency. The charges that he accepted involve fraud related to access credentials and carry penalties that could reach 10 years in prison and fines amounting to $250,000 or twice the gains or losses attributed to the crime, which illustrates the legal tools the US justice system provides to punish this kind of illegal business.

The fact that a defendant has been arrested and extradited does not mean that the problem has been resolved. On the contrary, the news fits a broader trend: arrests and investigations to dismantle networks of access intermediaries have increased in recent years. Last November, for example, another individual, in that case a Russian national, pleaded guilty to acting as an access broker for Yanluowang ransomware affiliates who attacked companies in the United States. These developments have attracted the attention of security agencies and companies because brokers allow criminal groups to scale up their operations efficiently.

Agencies and large technology companies have also warned about increasingly sophisticated tactics. Microsoft, for example, has warned about actors who abuse legitimate Windows utilities and techniques to evade endpoint detection and response (EDR) solutions, with the aim of installing and maintaining malware without being detected, which increases the risk that initial access will become a devastating attack. For analysis and technical advisories about these tactics, the security publications and blogs of vendors and authorities are key resources: Microsoft's security page offers reports and guides on emerging threats in its analysis section (Microsoft Security Blog), and in the United States the Cybersecurity and Infrastructure Security Agency (CISA) maintains resources and warnings on ransomware and entry vectors (CISA - Ransomware Guidance).

The phenomenon raises questions of public policy and corporate security. From the legal point of view, pursuing those who sell access is useful and necessary, but by itself it does not reduce supply or demand: as long as there are weak credentials, poorly configured services or exposed accounts, there will be a market. From a defensive perspective, organizations need to take measures that reduce the attack surface and detect abnormal patterns before an intruder can move laterally.


It is not just technology, but processes and culture: multifactor authentication, network segmentation, rigorous privilege management and constant monitoring are essential parts. The operational context also matters: brokers study targets in order to sell valuable access, so visibility into which accounts have access to critical systems and the ability to respond quickly to compromised credentials are decisive. Technical reports and threat analyses prepared by European organisations and research centres provide broader context on how this activity evolves and what practices help to mitigate it; for example, the European Union Agency for Cybersecurity publishes assessments and guides that help in understanding tactics and risk (ENISA).

If there is a clear lesson in the succession of public cases and alerts, it is that attacking the cybercrime economy requires action on multiple fronts. Arrests and extraditions affect supply and serve as a deterrent, but demand continues to exist as long as ransomware operators and other cybercriminals profit. That is why, in addition to strengthening technical controls, it is crucial that companies and governments improve the exchange of information on intrusions and access being sold, and that they work with intelligence and response providers to interrupt attack chains in the early stages.

The story of the access broker who pleaded guilty shows the commercial face of the threat: behind each compromised credential there may be a seller who offers it to the highest bidder, and behind each sale, a real risk for employees, customers and business continuity. Effective defence means understanding this illicit market, reducing exposure and coordinating rapid public-private responses. For those who want to look into why these figures are so dangerous and how companies can protect themselves, the pages of agencies such as the Department of Justice and specialized security publications are a good starting point (Department of Justice - Press Releases).
